CVE-2024-34712

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/id being normalized into the url /api/v10/channels/id, and deleting a...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2025-1348)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1348 advisory. Use after free due to connection being cleaned up after error CVE-2025-62408 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus h...

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2025-1347)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1347 advisory. Use after free due to connection being cleaned up after error CVE-2025-62408 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus h...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2025-1346)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1346 advisory. Use after free due to connection being cleaned up after error CVE-2025-62408 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus h...

CVE-2024-14020

A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes...

CVE-2019-12047

Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by childprocess.exec and the "...

Medium: nodejs22

Issue Overview: Use after free due to connection being cleaned up after error CVE-2025-62408 Affected Packages: nodejs22 Issue Correction: Run dnf update nodejs22 --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1347 --releasever 2023.10.20260105 to update your system. More...

Medium: nodejs20

Issue Overview: Use after free due to connection being cleaned up after error CVE-2025-62408 Affected Packages: nodejs20 Issue Correction: Run dnf update nodejs20 --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1346 --releasever 2023.10.20260105 to update your system. More...

PT-2026-1548

Name of the Vulnerable Software and Affected Versions carboneio carbone versions prior to 3.5.6 Description A weakness exists in carboneio carbone up to version fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. The issue resides in the Formatter Handler component, specifically within the file lib/input.j...

Atlassian Confluence < 9.2.6 / 9.3.x < 9.4.0 / < 9.4.0 / 9.5.x < 9.5.2 / 10.0.x < 10.0.2 / 10.1.0 (CONFSERVER-101488)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101488 advisory. - The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally routable...

Medium: nodejs24

Issue Overview: Use after free due to connection being cleaned up after error CVE-2025-62408 Affected Packages: nodejs24 Issue Correction: Run dnf update nodejs24 --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1348 --releasever 2023.10.20260105 to update your system. More...

PT-2026-1342

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.0.0 Description jsPDF, a JavaScript library for generating PDFs, has a critical flaw in its Node.js builds. Prior to version 4.0.0, the loadFile, addImage, html, and addFont methods are susceptible to local file...

PT-2026-1337

Name of the Vulnerable Software and Affected Versions Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 Description The software contains a regular expression denial of service ReDoS issue within the UriTemplate class when handling RFC 6570 exploded array patterns. The dynamicall...

Exploit for Code Injection in Symfony Twig

Successful Errors: New Code Injection and SSTI Techniques !R...

Exploit for Deserialization of Untrusted Data in Facebook React

Affected Versions |Component|Recommended Installation Version...

PT-2026-28317

Name of the Vulnerable Software and Affected Versions Node.js versions 20.x through 25.x Description A flaw exists in Node.js HMAC verification where a non-constant-time comparison is used when validating signatures provided by a user. This could potentially leak timing information proportional t...

PT-2026-28316

Name of the Vulnerable Software and Affected Versions Node.js versions 20.x, 22.x, 24.x and v25.x Description A flaw in Node.js HTTP request handling results in an uncaught TypeError when a request includes a header named proto and the application accesses req.headersDistinct. Specifically, dest"...

PT-2026-3360

Name of the Vulnerable Software and Affected Versions Node.js versions affected versions not specified Description A flaw in Node.js TLS error handling can allow remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thro...

PT-2026-28318

Name of the Vulnerable Software and Affected Versions Node.js versions 20 through 25 Description A memory leak can occur in Node.js HTTP/2 servers when a client sends WINDOW UPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The...

CVE-2025-15284

A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation e.g., a=value. This bypasses the arrayLimit option, which is designed to limit the size of...